Troubleshooting Firewall Configuration Issues - Motorola RFS7000 Series Troubleshooting Manual

6.4 Troubleshooting Firewall Configuration Issues

Motorola recommends adhering to the following guidelines when dealing with problems related to RFS7000 Firewall configuration:

A Wired Host (Host-1) or Wireless Host (Host-2) on the untrusted side is not able to connect to the Wired Host (Host-3) on the trusted side

1. Check that IP Ping from Host-1/Host-2 to the interface on the trusted side of the RFS7000 switch works.
   CLI (from any context) - ping <host/ip_address>
2. If it works, then there is no problem in connectivity.
3. Check whether Host-1/Host-2 and Host-3 are on the same IP subnet.
   If not, add proper NAT entries for the configured LANs under the Firewall context.
4. After the last step, check again that IP Ping from Host-1 to the interface on the trusted side of the RFS7000 switch works.
   If it works, then the problem is solved.

A Wired Host (Host-1) on the trusted side is not able to connect to a Wireless Host (Host-2) or Wired Host (Host-3) on the untrusted side

1. Check that IP Ping from Host-1 to the interface on the untrusted side of the switch works.
2. If it works, then there is no problem in connectivity.
3. Now check whether Host-1 and Host-2/Host-3 are on the same IP subnet.
   If not, add proper NAT entries for the configured LANs under the Firewall context.
4. Once step 3 is completed, check again that IP Ping from Host-1 to the interface on the untrusted side of the switch works.
   If it works, then the problem is solved.
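
The subnet check in step 3 of both scenarios above can be scripted. The following is an added example, not part of the Motorola manual: the function names, the host addresses and the "mask-mismatch" outcome (two hosts whose netmasks disagree about whether they share a subnet) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample addressing; replace with the real interface settings.
UNTRUSTED = {"Host-1": "192.168.10.21/24", "Host-2": "192.168.20.35/24"}
TRUSTED = {"Host-3": "192.168.20.50/24"}


def subnet_relation(iface_a: str, iface_b: str) -> str:
    """Classify two host interface configs given as 'address/prefix'.

    Returns 'same-subnet', 'different-subnet' or 'mask-mismatch'.
    """
    a = ipaddress.ip_interface(iface_a)
    b = ipaddress.ip_interface(iface_b)
    if a.version != b.version:
        raise ValueError("cannot compare an IPv4 host with an IPv6 host")
    a_sees_b = b.ip in a.network  # A would treat B as directly reachable
    b_sees_a = a.ip in b.network  # B would treat A as directly reachable
    if a_sees_b and b_sees_a:
        # Both consider the other local, but the masks may still differ.
        return "same-subnet" if a.network == b.network else "mask-mismatch"
    if a_sees_b or b_sees_a:
        # Only one side considers the other local: the netmasks disagree.
        return "mask-mismatch"
    return "different-subnet"


def step3_report(untrusted: dict, trusted: dict) -> dict:
    """Map each (untrusted host, trusted host) pair to the step-3 outcome."""
    actions = {
        "same-subnet": "no NAT entry needed",
        "different-subnet": "add NAT entry under the firewall context",
        "mask-mismatch": "fix host netmasks before changing NAT",
    }
    return {
        (u, t): actions[subnet_relation(u_cfg, t_cfg)]
        for u, u_cfg in untrusted.items()
        for t, t_cfg in trusted.items()
    }


if __name__ == "__main__":
    for pair, action in step3_report(UNTRUSTED, TRUSTED).items():
        print(pair, "->", action)
```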

Disabling of telnet, ftp and web traffic from hosts on the untrusted side does not work

1. Check the configuration for the desired LAN under the FW context (which is under the configure context).
   CLI - configure fw <LAN_Name>
2. Check whether ftp, telnet and web are in the denied list. In this case, web is https traffic and not http.
3. Ensure that the "network policy" and "Ethernet port" set for the LAN are correct.

How to block requests from a host on the untrusted side to a host on the trusted side based on packet classification

1. Add a new Classification Element with the required Matching Criteria.
2. Add a new Classification Group and assign the newly created Classification Element to it. Set the action required.
3. Add a new Policy Object (PO). This should match the direction of the packet flow, i.e. Inbound or Outbound.
4. Add the newly created PO to the active Network Policy.
5. Associate the WLAN and Network Policy to the active Access Port Policy.

Any request matching the configured criteria should take the action configured in the Classification Element.